Baidu Cloud Storage

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Baidu Drive file-management integration, with expected cloud upload/download/share and memory backup behavior that is mostly scoped and user-directed.

Install only if you want an agent to manage Baidu Drive files and, on request, back up agent memory files to Baidu Drive. Review uploads, share-link creation, restores, updates, and uninstall actions before approving them, and avoid using the login flow on shared or untrusted machines.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The examples normalize uploading files and creating public share links without reminding the user that these actions disclose data to a remote service and may expose it to others via shared URLs and extraction codes. In a file-management skill, omission of privacy and disclosure warnings can lead users to unintentionally publish sensitive local or cloud content.

Missing User Warnings

Severity: Low
Confidence: 85%
Finding:
The download examples show writing remote content directly to local filesystem paths without noting that existing files may be created or overwritten and that downloaded content comes from a remote source. This can surprise users and create integrity or storage issues, though the examples themselves do not show outright exploitation.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The file-management examples perform mutating remote actions such as move, copy, rename, and mkdir with no warning that user cloud data will be changed. In a cloud-storage skill, silent normalization of destructive or organizational changes increases the chance of accidental data loss, confusion, or acting on the wrong path.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The backup script archives local data, uploads it to a remote service, and deletes the temporary archive, but provides no warning about the sensitivity of archived contents, remote transfer, or local cleanup side effects. This is dangerous because users may run it on confidential directories without understanding the disclosure and deletion implications.

VirusTotal

1/61 vendors flagged this skill as malicious, and 60/61 flagged it as clean.
